Re: Status of First-Party Sets

One thing is for sure — this is not a matter for W3C or the people here.
Thanks.


W dniu wt., 7.06.2022 o 09:15 James Rosewell <james@51degrees.com>
napisał(a):

> I believe that is a matter for the CMA rather than ING. ING monitor rather
> than make decisions. They need to monitor these discussions and more at the
> W3C.
>
>
>
> However we don’t need to ask the CMA to settle the matter. Google are
> bound
> <https://assets.publishing.service.gov.uk/media/62052c6a8fa8f510a204374a/100222_Appendix_1A_Google_s_final_commitments.pdf>
> to GDPR on all matters related to privacy.
>
>
>
> *“Applicable Data Protection Legislation” means all applicable data
> protection and privacy legislation in force in the UK, including the Data
> Protection Act 2018, the UK General Data Protection Regulation (and
> regulations made thereunder) and the Privacy and Electronic Communications
> (EC Directive) Regulations 2003*
>
>
>
> First parties and third parties have no meaning under GDPR as confirmed
> <https://ico.org.uk/media/about-the-ico/documents/2619797/cma-ico-public-statement-20210518.pdf>
> by the ICO and CMA.
>
>
>
> *Box B: what is the difference between first-party and third-party data?
> Data is sometimes categorised according to the relationship between the
> party collecting and processing it and the individual or circumstance it
> relates to: • First-party data: data that is collected by a business
> through direct interaction with an individual providing or generating the
> data. For example, data collected by an online retailer regarding purchases
> made by consumers on its site. • Third-party data: data collected by a
> business not in direct interaction with the individual providing or
> generating the data, for example, through business partners. Digital firms
> that do not have a direct relationship with users frequently rely on
> third-party data. The boundaries between first and third-party data
> according to the above definition are not always clear, particularly when
> large companies own a variety of businesses, some of which have a
> relationship with the user and some of which do not. Both first-party and
> third-party data as defined above can include personal and nonpersonal
> data. Whether information is personal data depends on whether it relates to
> an identified or identifiable individual. There is no explicit reference to
> the distinction between first-party and third-party data in data protection
> law. 9 The descriptions of ‘first party’ and ‘third party’ are also used
> (though with a different meaning) in the context of cookies and similar
> technologies,10 which collectively form the key means by which information
> (including personal data) is collected and disseminated in online
> advertising. A cookie is generally identified as being first-party if the
> domain of the cookie matches the domain of the page visited and as being
> third-party in instances where the domain of the cookie does not match the
> domain of the website. This is not a rigid distinction. Some functions
> typically delivered through third party cookies can be done via first party
> cookies, even if a third party’s code and associated service is still
> involved. The rules on the use of cookies and similar technologies are
> specified in Regulation 6 of the Privacy and Electronic Communications
> Regulations 2003 (as amended) (‘PECR’), and oversight of these rules is one
> of the ICO’s regulatory functions. PECR provides more specific rules than
> the UK GDPR in a number of areas such as cookie use. It is also important
> to note that PECR’s provisions in this area apply whether or not personal
> data is processed.*
>
>
>
> Any proposal, change, or discussion that uses first and third party as
> justification will be a flagrant breach of the agreement between Google and
> the CMA as there is no distinction under GDPR.
>
>
>
> James
>
>
>
> *From:* Zucker-Scharff, Aram <Aram.Zucker-Scharff@washpost.com>
> *Sent:* 06 June 2022 19:22
> *To:* Travis Leithead <travis.leithead@microsoft.com>; James Rosewell <
> james@51degrees.com>; Kaustubha Govind <kaustubhag@google.com>; Theresa
> O'Connor <hober@apple.com>; Chris Wilson <cwilso@google.com>;
> yoavweiss@chromium.org; Léonie Watson <lwatson@tetralogical.com>;
> matthew.hancox@ing.com; david.verroken@ing.com
> *Cc:* public-privacycg@w3.org
> *Subject:* Re: Status of First-Party Sets
>
>
>
> Since Matthew and David are on this email, presumably they could tell us
> if FPS is or is not against the agreements Google has made with the CMA? I
> think a definitive statement in this matter would presumably help lead
> participants towards a best next step.
>
>
>
> -- Aram Zucker-Scharff
>
> The Washington Post
>
> +1-703-829-0532
>
>
>
>
>
> *From: *Travis Leithead <travis.leithead@microsoft.com>
> *Date: *Monday, June 6, 2022 at 2:10 PM
> *To: *James Rosewell <james@51degrees.com>, Kaustubha Govind <
> kaustubhag@google.com>, Theresa O'Connor <hober@apple.com>, Chris Wilson <
> cwilso@google.com>, yoavweiss@chromium.org <yoavweiss@chromium.org>,
> Léonie Watson <lwatson@tetralogical.com>, matthew.hancox@ing.com <
> matthew.hancox@ing.com>, david.verroken@ing.com <david.verroken@ing.com>
> *Cc: *public-privacycg@w3.org <public-privacycg@w3.org>
> *Subject: *Re: Status of First-Party Sets
> *CAUTION: EXTERNAL SENDER*
>
> > [..] I’m unsure how one would go about removing FPS from WICG. Perhaps
> the WICG chairs can advise?
>
>
>
> The WICG is home to over 120 [wicg.io]
> <https://urldefense.com/v3/__https:/wicg.io/__;!!M9LbjjnYNg9jBDflsQ!DT4A_609B6yiRxGLK4nQf6Gba25tsuH2agDoPU-xBAvTPr5Dj7n_1Pn9uQ2jnmTYs6qdsGbhTuKlmYbP-QtrU9U3t7RtLNxqZq-pV717$>
> unique incubations at varying stages of maturity and implementation. While
> I have been a co-chair, we have graduated numerous proposals into other
> venues, and archived others at the request of their owners, but we've never
> forcibly removed any incubations (even when they appear inactive for
> years). I think it would set a bad precedent to start now. The WICG is a
> field for sowing ideas; for this reason our criteria for acceptance is very
> low.
> ------------------------------
>
> *From:* James Rosewell <james@51degrees.com>
> *Sent:* Saturday, June 4, 2022 12:50 AM
> *To:* Kaustubha Govind <kaustubhag@google.com>; Theresa O'Connor <
> hober@apple.com>; Chris Wilson <cwilso@google.com>; yoavweiss@chromium.org
> <yoavweiss@chromium.org>; Léonie Watson <lwatson@tetralogical.com>;
> Travis Leithead <travis.leithead@microsoft.com>; matthew.hancox@ing.com <
> matthew.hancox@ing.com>; david.verroken@ing.com <david.verroken@ing.com>
> *Cc:* public-privacycg@w3.org <public-privacycg@w3.org>
> *Subject:* RE: Status of First-Party Sets
>
>
>
> Adding Matthew Hancox and David Verroken in their role as Monitoring
> Trustee
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.gov.uk%2Fcma-cases%2Finvestigation-into-googles-privacy-sandbox-browser-changes%23monitoring-trustee-report&data=05%7C01%7Ctravis.leithead%40microsoft.com%7Cdf15ecae4f4e4378020808da45fef700%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637899258635149241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=QTqAadlA6ffoshp%2BTzTNi9EedtCMLGGme5SQ%2BtmTzRw%3D&reserved=0>
> of Google’s commitments with the CMA.
>
>
>
> Adding the chairs of Web Incubation Community Group (WICG) as the future
> home of FPS to seek their advice on removing FPS from WICG.
>
>
>
> To summarise the situations.
>
>
>
>    1. The chairs of Privacy CG who are employed by Apple, Microsoft, and
>    Mozilla have made a decision after two years to finish work on the proposal
>    due to a “lack of multi-implementer interest”.
>    2. The WICG, where two of the four chairs are employed by Google, and
>    the other two Microsoft and Tetralogical, are now going to take the FPS
>    forward because as the employee from Google asserts there is “multi-vendor
>    and web developer interest”.
>
> I would like to understand this interest based on the merits of the
> proposal rather than the market dominance of the proposer’s employer.
>
>
>
> Google control the web via their Chrome web browser accounting for 64%
> share of the market and over 75% share of the market for Chromium based
> browsers of which Google have effect control. See Statcounter
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgs.statcounter.com%2Fbrowser-market-share%23monthly-200901-202205&data=05%7C01%7Ctravis.leithead%40microsoft.com%7Cdf15ecae4f4e4378020808da45fef700%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637899258635149241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=w5t51BeP1Cf4%2FmLwm2RE0BNtT%2BQQSiQuQ6Ayoqd2qQ8%3D&reserved=0>
> .
>
>
>
> My interest in FPS is merely related to the fact that one cannot ignore
> any proposal from Google due to Google’s market dominance and control of
> Chromium. My interest is not related to any merits of the proposal. Is this
> also true of others in these groups? Who is interested based purely on the
> technical merits of the proposal? Could anyone even answer these questions
> openly due to the fear of being labelled “anti-Google” or “anti-privacy”?
>
>
>
> I do not see any merits to the proposal as drafted beyond identifying that
> the removal of so-called third-party cookies (3PC) by Google creates
> revenue problems for Google’s own brands (YouTube and Google), and that the
> largest advertisers from which Google generates revenue will be impacted by
> 3PC
>
> removal (Disney, ESPN, Hulu). Google’s Directors must find a way to
> protected that revenue. Large publishers operating multiple domains might
> also consider FPS as a hobbled way of continuing to operate their business
> once 3PC are removed, and therefore support the proposal as the “least
> worst” of Google’s proposals when considering their future revenues.
>
>
>
> FPS is also flawed for the following reasons.
>
>
>
>    1. FPS does not align to GDPR as required under Google’s commitments
>    with the CMA.
>    2. FPS centralizes administration of the web via an Independent
>    Enforcement Entity (IEE).
>    3. FPS continues to propagate the myth that there is a distinction
>    between first and third parties. Only data controllers and processors
>    matter under GDPR. Any work to improve privacy must seek to upgrade the
>    privacy boundary of the web in these terms and move away from domain names
>    alone.
>    4. The W3C Technical Architecture Group (TAG) in their review
>    <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3ctag%2Fdesign-reviews%2Fblob%2Fmain%2Freviews%2Ffirst_party_sets_feedback.md%23is-this-harmful-to-the-web&data=05%7C01%7Ctravis.leithead%40microsoft.com%7Cdf15ecae4f4e4378020808da45fef700%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637899258635149241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=VD59dZ2e4gfk8bLlny%2B9bcOajdqJLSncHfEaQ%2Fdh3AU%3D&reserved=0>
>    of FPS identified the competition impacting harm associated with FPS.
>
> *“It is likely that this proposal only benefits powerful, large entities
> that control both an implementation and services.”*
>
>
>
>    1. Movement for an Open Web (MOW), of which I’m Director, also analysed
>    <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmovementforanopenweb.com%2Fin-depth-analysis-of-googles-first-quarterly-report%2F&data=05%7C01%7Ctravis.leithead%40microsoft.com%7Cdf15ecae4f4e4378020808da45fef700%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637899258635149241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=XMlPMuBT0qTl3iABDi8J18FVvLESOsrg0Zc985XlHxw%3D&reserved=0>
>    Google’s first quarter report under the CMA commitments and identified the
>    need to apply non-discriminatory definitions for proposals like FPS.
>
> As WICG is in practice controlled by Google, and the “home” of Privacy
> Sandbox (PS) proposals, presumably to avoid the independence of other
> groups like Privacy CG which view PS proposals less favourably, I’m unsure
> how one would go about removing FPS from WICG. Perhaps the WICG chairs can
> advise?
>
>
>
> However, my preference would be for FPS to be voluntarily abandoned by
> Google, and for Google to consider solutions that work for all participants
> of the web and not just a narrow set of large entities. To this end I have
> proposed the modified GDPR Validated Sets
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FWICG%2Ffirst-party-sets%2Fpull%2F86&data=05%7C01%7Ctravis.leithead%40microsoft.com%7Cdf15ecae4f4e4378020808da45fef700%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637899258635149241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=PY5xgAaUuyfWyclt00FtmWiWhxAv1uS7K%2FaIBpNwOY8%3D&reserved=0>
> (GVS) derivative.
>
>
>
> As participants must follow every proposal from Google to ensure they can
> manage expectations within their businesses, with customers, and other
> stakeholders the removal of at least one PS proposal will be a welcome
> reduction in the PS “distraction tax” on the wider eco-system which is
> already causing much harm today.
>
>
>
> Regards,
>
>
>
> James
>
>
>
> *From:* Kaustubha Govind <kaustubhag@google.com>
> *Sent:* 03 June 2022 15:02
> *To:* Theresa O'Connor <hober@apple.com>
> *Cc:* public-privacycg@w3.org
> *Subject:* Re: Status of First-Party Sets
>
>
>
> Hi PrivacyCG chairs and community members,
>
>
>
> Thank you for the thoughtful discussion and feedback on First-Party Sets
> during our time incubating in the PrivacyCG. Given that the proposal
> continues to have multi-vendor and web developer interest, we will continue
> the incubation of this work in the WICG, and we invite those of you who are
> interested in the proposal to continue engagement with us in that forum.
> You can now find our repository at
> https://github.com/WICG/first-party-sets
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FWICG%2Ffirst-party-sets&data=05%7C01%7Ctravis.leithead%40microsoft.com%7Cdf15ecae4f4e4378020808da45fef700%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637899258635149241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=UxxmAA6rrrSR8cPe6DkCq6yLN1CA0CL%2Ffv2vmMwG4Ck%3D&reserved=0>
> .
>
>
>
> We plan to organize meetings within the WICG on a one-off basis when we've
> accumulated agenda items; which will be planned and announced via this
> GitHub issue
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FWICG%2Ffirst-party-sets%2Fissues%2F89&data=05%7C01%7Ctravis.leithead%40microsoft.com%7Cdf15ecae4f4e4378020808da45fef700%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637899258635149241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FTrNSkjF6uRg%2BPEHqQNkNgAisQAyxwmkkBuJOpT897w%3D&reserved=0>.
> Please Comment/Watch/Star the issue to follow along, or provide suggestions.
>
>
>
> Thank you,
>
> Kaustubha, Harneet, and Johann
>
>
>
>
>
> On Thu, Jun 2, 2022 at 2:12 PM Theresa O'Connor <hober@apple.com> wrote:
>
> Hi all,
>
> As chairs of the W3C Privacy Community Group, we have decided to drop
> First-Party Sets as a Work Item in the group. Given the discussions the
> group has had and the lack of multi-implementer interest, we see it as
> unlikely to exit incubation. With regards to the concerns about the
> privacy properties of First-Party Sets that were raised in issue 88,
> given the discussion in that issue and during our recent meetings, the
> chairs find that there is no consensus in the CG.
>
> This does not mean that the various use cases that First-Party Sets
> attempted to solve are not worth solving. We welcome alternative
> proposals to address some or all of the use cases First-Party Sets aimed
> to address.
>
> We want to thank everybody who participated in discussions of
> First-Party Sets over the last couple of years. Special thanks to
> Kaustubha Govind, Harneet Sidhana, and Johann Hofmann for all their hard
> work on it.
>
> --
> Erik, Tanvi, & Tess
>
> This email and any attachments are confidential and may also be
> privileged. If you are not the named recipient, please notify the sender
> immediately and do not disclose, use, store or copy the information
> contained herein. This is an email from 51Degrees.mobi Limited, Davidson
> House, Forbury Square, Reading, RG1 3EU. T: +44 118 328 7152; E:
> info@51degrees.com; 51Degrees.mobi Limited t/as 51Degrees.
> This email and any attachments are confidential and may also be
> privileged. If you are not the named recipient, please notify the sender
> immediately and do not disclose, use, store or copy the information
> contained herein. This is an email from 51Degrees.mobi Limited, Davidson
> House, Forbury Square, Reading, RG1 3EU. T: +44 118 328 7152; E:
> info@51degrees.com; 51Degrees.mobi Limited t/as 51Degrees.
>
-- 
Sent from a mobile device